To: cypherpunks@toad.com
Subject: President's Export Council advisors consider Encryption Policy
Date: Sun, 07 Jun 1998 21:38:57 -0700
From: John Gilmore <gnu@toad.com>
[Largely bureaucratic, but there may be some interesting nuggets.
This is an advisory group to watch over exports in general, with a
subcommittee that is chartered to watch over encryption issues. --gnu]
EXECUTIVE SUMMARY
PRESIDENT'S EXPORT COUNCIL SUBCOMMITTEE ON ENCRYPTION
APRIL 23, 1998
SUMMARY OF OPEN SESSION
The open session of the President's Export Council Subcommittee on
Encryption (PECSENC) was called to order at 8:30 a.m. Mr. Adorjan noted
the Committee's mandate and described the framework and agenda of the
meeting. He then described the proposed focus of the Subcommittee
working groups on U.S. regulation and legislation, international, and
technology. He emphasized that the objective would be for each working
group to address the many subjects related to encryption export policy
from the perspective of the primary topic. He noted that as the working
groups made progress on issues, they would bring recommendations for
decision to the entire Subcommittee. He added that each working group
would issue individual reports or recommendations rather than waiting
for an integrated report of all three working groups. He again noted
his hope that the work of the three groups be integrated further on in
the process. He commented that there had been discussion of a fourth
group focused on law enforcement, but concluded that it would be more
valuable to integrate law enforcement issues into the work of the three
groups because of its impact on these areas. He then described the
proposed list of working group participants and possible chairs, noting
that his goal was to get a balanced representation of members within
each group. He said that during the afternoon breakout sessions, he
would like each working group to reach a set of decisions on the scope
and approach of its work plan, and the timetable for completion.
Mr. Adorjan then discussed how the PECSENC, as a Subcommittee of the
President's Export Council, would communicate any formal activity to the
Administration, noting that the process used by the PEC Subcommittee on
Export Administration (PECSEA) worked well. He described this process,
and explained that any proposals to send reports or letters to the
Administration were submitted by the Subcommittee Chair to the PEC Chair
for distribution to Committee members, with the PEC staff coordinating
this effort.
Mr. Adorjan then commented on Mr. Stewart Baker's e-mail recommendation
to submit a letter urging the Administration to move forward on the
financial institutions regulation which had been pending. He agreed
with Mr. Baker's assessment that the Subcommittee should focus not only
on long-term issues, but also intervene in short-term issues. Mr.
Adorjan added that issuing a letter to the Administration with support
of PEC and Subcommittee members was an effective means of bringing a
topic to the forefront. He then suggested that the working groups
address such time sensitive issues, as appropriate, and formulate
recommendations for circulation throughout the entire Subcommittee. Mr.
Adorjan then asked for any comments with regard to the working group
activities. As there were none, he turned to the issue of membership,
noting that the PECSENC had 23 members with approximately 30 total
members planned. He added that at the previous meeting, members had
discussed the importance of having a cryptographer and insurance
industry representative as members. He assured members that the
department was pursuing these recommendations.
At the request of Subcommittee members, Under Secretary Reinsch
discussed Secretary Daley's recent remarks to a group of information
technology associations regarding the release of the Commerce Department
report titled "The Emerging Digital Economy." Mr. Reinsch noted that
while the report focused on electronic commerce, the Secretary also took
the opportunity to comment on the encryption debate. He emphasized that
the Secretary supported the President's policy to balance national
security, privacy, and commercial interests, but believed that
implementation of the policy had not been as successful as it should
be. He added that if it could not be implemented successfully, the
victims would be the law enforcement community and U.S. business, as
foreign products would become more dominant. With respect to the
ability of the United States to impact the activities of foreign
countries on encryption, Mr. Reinsch noted that each country that
confronted the issue had to work out the debate in its own way.
Responding to Mr. Lynn McNulty's request for views on the Economic
Strategy Institute's report entitled "Finding the Key, Reconciling
National and Economic Security Interests in Cryptography Policy", Mr.
Reinsch noted that while the report did not offer alternatives, it
demonstrated that balancing the competing interests in the debate was
difficult.
Mr. Adorjan then introduced the first presenter in the Justice
Department's threat assessment briefing, Mr. Charles Barry Smith,
Supervisory Special Agent, Office of Public and Congressional Affairs at
the Federal Bureau of Investigation. Agent Smith began by stating that
law enforcement was supportive of strong encryption to protect privacy,
but that it would be adversely impacted by commercially available
non-recovery encryption products. He discussed the legal issues related
to wiretapping, describing it as a technique of last resort done under
strict judicial procedures. He then described the adverse impact of
non-recovery encryption on law enforcement's ability to perform search
and seizure of criminally related electronically stored data. He
provided case examples where electronic surveillance had been used
successfully and described high-profile cases where encryption played a
role. In response to Raymond Humphrey's question as to whether or not
criminals would use key recovery products, Agent Smith said that past
experience showed that criminals tended to use what was generally
available, citing the use of cellular phones as an example. Ambassador
Katz raised the issue of whether it was too late to reverse the impact
of the general availability of non-key recovery encryption. Agent Smith
responded that at this point encryption was just an added feature, but
would soon become integrated into products and user-friendly, resulting
in increased use. In response to Ms. Simons' question of the issue of
domestic controls, Agent Smith noted that law enforcement was in fact
concerned about the proliferation of non-recovery products within the
United States, as well as the impact of imports of such products. Agent
Smith emphasized that law enforcement did not advocate that the
government be the holder of the information or key, but that it have
access to information pursuant to lawful authority without having to go
to the individual who may be engaged in the illegal activity.
Adorjan then introduced the second Justice Department speaker, Mr. Scott
Charney, Chief of the Computer Crime and Intellectual Property Section
in the Criminal Division of the Justice Department. Mr. Charney began
by commenting that his office was a large proponent of using
cryptography to protect systems for both authentication and privacy and
commerce purposes based on its experience with hacker cases. He noted
that if information was encrypted, it was not as much of a concern if
hackers gained access to it. He said that the question to ask was
whether the public wanted the kind of infrastructure that helped
criminals protect themselves because products were unbreakable and law
enforcement had no access to data, or the kind of infrastructure where
the public got the benefits of robust cryptography but where it did more
to preserve public safety. Mr. Douglas McGowan asked about the method
of controlling keys for individual users of key recovery encryption
outside of the corporate environment. Mr. Charney responded that there
were many ingenious ways to implement the technology which allow people
to retain control to information and keys while providing for government
access with the necessary authority. He added that there were ways to
implement key recovery that offered benefits for the consumer and public
safety, and used the example of "self-wrapping" encryption. Mr. Donald
Goldstein noted that there was evidence that the public was relatively
trusting and accepting of key management and recovery techniques, citing
the example of ATM card usage. He cautioned that the network might
become unreliable if a vulnerability was introduced which could result
in the public not trusting the system anymore. Mr. Chaney responded
that this vulnerability was far less than what existed in today's
plaintext world and that an expectation of zero risk on networks was not
realistic. He added that there needed to be a balance of benefits and
risks and that it was difficult to quantify risks to privacy versus
public safety.
There was also a general discussion with Messrs. Smith and Charney on
related issues, including the concept of a "Net Center", the policies of
other countries, imports of non-recovery encryption, the difficulty in
designing different products in different markets, the possibility of a
single law enforcement standard, economic intelligence and espionage,
including losses to the economy if robust encryption was not available,
the need for real time access to encrypted communications, and the
ability of law enforcement to solve crimes in the future if constrained
by non key-recovery encryption products. Mr. Anthony Pentino of the
National Security Agency suggested that law enforcement might find a
better way to communicate its position beyond the congressional level to
the general public at large to counter what appeared to be an
exaggeration of privacy concerns fostered by its detractors. Ms. Simons
then asked that in the future, the Subcommittee members have the
opportunity to submit questions to speakers. Mr Adorjan suggested that
these questions be conveyed through the working groups.
Mr. Linton Wells from the Department of Defense commented that Deputy
Secretary of Defense John Hamre recently spoke to NATO allies in
Brussels regarding the importance of each country developing national
solutions on encryption. He noted that Hamre's point was that
encryption needed to be regarded not just from commerce and law
enforcement standpoint, but as a national security issue as well. As
NATO moved from military dedicated command and control to public
networks, strong identification, authentication, and interoperability
were crucial. He also noted that with respect to the Defense
Department engaging in electronic commerce, key recovery encryption
would be necessary from an internal control standpoint. Mr. Adorjan
agreed that this issue was not unique to the Defense Department, but
corporations as well.
Turning to the briefing foreign activities, Mr. Adorjan introduced Ms.
Michelle O'Neill, Executive Director to Ambassador Aaron and Mr. James
Lewis, Director of the Office of Strategic Trade and Foreign Policy
Controls. Ms. O'Neill began by explaining that Ambassador Aaron, who
was unable to attend the meeting, had been appointed as Special Envoy
for Cryptography in November 1996. The goal of his discussions with
other countries was international consensus on the development of key
management and key recovery architectures that would foster robust,
dependable security for global information infrastructure while
protecting public safety and national security. She said that two key
issues were the need for harmonized export control policies and the
development compatible infrastructures, as it was clear that no widely
used encryption system or any successful national policy would be
possible without international cooperation. She also noted that while
governments must provide appropriate policy framework, the task of
building this infrastructure would lie with the private sector. She
said that through Ambassador Aaron's discussions, they had learned that
while most governments were behind the United States in development of
encryption policies, each shared the same concerns as the United States
in trying to strike the right balance.
Mr. Lewis' discussion focused on multilateral controls on encryption
exports. He began by noting that a number of countries controlled the
export of encryption, but that the task was to modernize encryption
export controls to reflect today's environment and agree to the
implementation of common policies. He added that most governments had
common concerns about role of encryption in society. He noted that the
U.S. objectives with respect to encryption policy were law enforcement
access, use of recoverable encryption, and promotion of electronic
commerce. He then explained the history and structure of Wassenaar
Arrangement and outlined the issues that the forum was considering with
respect to encryption, including moving to a positive control list,
consideration of the treatment of commercial encryption products given
widespread commercial use, treatment of software and intangible
technology (phone conversations, faxes, Internet transmissions),
decontrol levels, and transparency in reporting. He said that the
United States had raised encryption as an issue for discussion at the
last Wassenaar Arrangement plenary in December 1997 and asked countries
to adopt similar policies as the United States. He indicated that given
the scope of the issues under consideration, he was not sure that
resolution would happen anytime soon. He added that Ambassador Aaron's
group was finding that other countries were moving slowly in the U.S.
direction and had more sympathy for the U.S. position than it would
appear. There was a general discussion of the issue of mass market
encryption software, the treatment of intangible technology and the need
to develop a common approach on encryption.
Following the lunch break and the meeting of the non-public working
group sessions, Chairman Adorjan reconvened the Subcommittee at 3:00
p.m. He asked each group to give a report on its discussions and began
with Mr. Gant Redmon and the working group on technology. Mr. Redmon
began by noting that the issue of interoperability was a key part of the
group's discussion and said that building key recovery was not an
impossible project (with respect to stored data). He said that from a
technological standpoint, interoperability could cause a great deal of
difficulty in terms of those products that have key recovery and those
that do not. He also noted the strong domestic impact of export issues
and other pressures to create encryption products a certain way. With
respect to mass market software, he said that the working group
generally agreed that 56 bit encryption products were the de facto
standard.
Mr. Adorjan then turned to Ambassador Katz for a briefing on the
international working group discussion. Katz noted that the first task
they agreed to focus on was developing an understanding of the state of
current encryption policies, including foreign availability and policies
of other governments. He said that the working group would seek
briefings from government and the private sector and perhaps survey
suppliers and users. He indicated that the group had identified another
issue: whether export control policy is the most effective instrument
to meet broader objectives of law enforcement, national security, and
privacy. He finished by noting that the working group planned on
completing its information gathering prior to the September meeting and
would then work on policy recommendations.
Mr. Adorjan then turned to the Regulatory and Legislative working
group. Mr. Richard Barth began by noting that the working group had
considered the letter drafted by Mr. Baker and supported it with minor
edits. He added that they felt that the issue of raising the decontrol
level to 56 bit encryption products could be included as a second
point. He then noted that the group had agreed on a set of operating
principles for themselves and perhaps for the use of the entire
Subcommittee. These included the objective of balancing the interests
of law enforcement, privacy and national, seeking this balance via
market driven forces and, where necessary, taking a legislative
approach. He concluded with a request for a panel briefing on the
legislative environment and a briefing on the export control
requirements on encryption.
Adorjan agreed that briefings on three issues would be useful,
specifically briefings on the status of legislative issues, export
policies and administration, and international threat briefing by the
National Security Agency. With respect to these briefings, he would ask
the presenters to provide topical outlines in advance of the briefings.
Mr. Adorjan said he looked forward to the working groups developing a
defined scope of work by the next meeting, and suggested that they
interact by e-mail. He added that the working groups did not need to
get consensus, but that the long term objective was to formulate a set
of recommendations. Finally, he noted that he and Under Secretary
Reinsch would invite Secretary Daley to participate at the June 22
meeting. Mr. Adorjan asked if there were other issues to be discussed.
As there were none, he adjourned the session at 3:35 p.m.